BREAKING! The FDA just released this draft guidance, titled Artificial Intelligence-Enabled Device Software Functions: Lifecycle Management and Marketing Submission Recommendations, which aims to provide industry and FDA staff with a Total Product Life Cycle (TPLC) approach for developing, validating, and maintaining AI-enabled medical devices. The guidance is important even in its draft stage in providing more detailed, AI-specific instructions on what regulators expect in marketing submissions and how developers can control AI bias.

What’s new in it?
1) It requests clear explanations of how and why AI is used within the device.
2) It requires sponsors to provide adequate instructions, warnings, and limitations so that users understand the model’s outputs and scope (e.g., whether further tests or clinical judgment are needed).
3) It encourages sponsors to follow standard risk-management procedures and stresses that misunderstanding or incorrect interpretation of the AI’s output is a major risk factor.
4) It recommends analyzing performance across subgroups to detect potential AI bias (e.g., different performance in underrepresented demographics).
5) It recommends robust testing (e.g., sensitivity, specificity, AUC, PPV/NPV) on datasets that match the intended clinical conditions.
6) It recognizes that AI performance may drift (e.g., as clinical practice changes); therefore sponsors are advised to maintain ongoing monitoring, identify performance deterioration, and enact timely mitigations.
7) It discusses AI-specific security threats (e.g., data poisoning, model inversion/stealing, adversarial inputs) and encourages sponsors to adopt threat modeling and testing (fuzz testing, penetration testing).
8) It proposes public-facing FDA summaries (e.g., 510(k) Summaries, De Novo decision summaries) to foster user trust and better understanding of the model’s capabilities and limits.
Regulatory Compliance Consulting
-
Harvard Law School’s Forum on Corporate Governance has an excellent article on Generative AI and Corporate Boards (link below). The onset of this paradigm-shifting technology has major implications for corporate governance, and at WILLIAM FRY LLP we are increasingly being asked to advise on the board-level impacts of using (or not using) this technology. For example, do directors have a duty of care to their companies to use this new technology? The article notes that as generative AI becomes increasingly incorporated into companies, corporate boards must adjust their oversight to effectively monitor this technology, and must understand the technology, its potential impacts, and the legal and ethical implications. Several considerations include the potential effects of AI on the company's products, services, and operations, its likely influence on the competitive landscape, relevant regulatory requirements, shareholder obligations, and efficient use and management of AI. Boards must also consider if generative AI needs to be under the purview of existing committees or if it requires a dedicated committee or task force. The article also points out that the board should consider AI's implications for strategic planning and risk management, using it to understand the business environment, identify risks and opportunities, and make informed strategic decisions. However, as the article notes, the technology has pitfalls, including potentially misleading or inaccurate content, error-proneness, and legal and ethical issues. As the article points out, AI can significantly enhance corporate boards' operations by better discharging their duties and promoting corporate interests. Despite its risks, boards that thoroughly manage these can gain strategic and competitive advantages while minimising legal and regulatory exposure. Continuous education and awareness about generative AI is crucial for directors to use these tools responsibly.
The article suggests that boards should consider creating formal policies for responsible use of generative AI, detailing risk management procedures. These policies should align with the company's specific legal and regulatory environment and be understood and followed throughout the organisation. Additionally, as the article notes, AI can support board operations like director skill evaluation, and board candidate nomination, freeing directors for strategic planning and risk management. Used wisely, generative AI can significantly enhance corporate boards' work. The article sets out that generative AI can support board decisions and improve efficiency, offering opportunities for improved corporate governance. It can aid in streamlining operations, improving decision-making, aligning risk levels, policies, and business goals. Despite its potential benefits, as the article says, challenges exist, requiring a cautious but curious approach to its use, ensuring the company is well-equipped to respond to any risk event.
-
All risk is enterprise risk. Cybersecurity Risk Management (CSRM) must be part of Enterprise Risk Management (ERM).

Many companies think managing cyber risks is:
╳ Just an IT problem.
╳ Isolated from other risks.
╳ A low-priority task.

But in reality, it is:
☑ A key part of the entire risk strategy.

Here are the key steps to integrate cybersecurity risk into enterprise risk management:
1. Unified Risk Management ↳ Integrating CSRM into ERM helps handle all enterprise risks effectively.
2. Top-Level Involvement ↳ Top management must be involved in managing cyber risks along with other risks.
3. Contextual Consideration ↳ Cyber risks should be considered in the context of the enterprise's mission, financial, reputational, and technical risks.
4. Aligned Risk Appetite ↳ Align risk appetite and tolerance between enterprise management levels and cybersecurity systems.
5. Holistic Approach ↳ Adopt a holistic approach to identify, prioritize, and treat risks across the organization.
6. Common Risk Language ↳ Establish a common language around risk that permeates all levels of the organization.
7. Continuous Improvement ↳ Monitor, evaluate, and adjust risk management strategies continuously.
8. Clear Governance ↳ Ensure clear governance structures to support proactive risk management.
9. Digital Dependency ↳ Understand how cybersecurity risks affect business continuity, customer trust, and regulatory compliance.
10. Strategic Enabler ↳ Prioritize risk management as both a strategic business enabler and a protective measure.
11. Risk Register ↳ Use a unified risk register to consolidate and communicate risks effectively.
12. Organizational Culture ↳ Foster a culture that values risk management as important for achieving strategic goals.

Integrating cybersecurity risk into enterprise risk management isn't just a technical task. It's a strategic necessity.

💬 Leave a comment — how does your company handle cyber risk?
➕ Follow Andrey Gubarev for more posts like this
-
Most MedTech companies treat audits as one-off events. (And it costs a lot more than money.)

This mindset costs:
• Market access
• Investor trust
• Years of work product
• And lots of money

But the biggest cost isn't financial. It's human lives. The ones that depend on life-saving devices that are getting locked out of the market. Not because their technology wasn’t good enough. But because of preventable mistakes. Because they treated compliance as an event. Not a culture.

Passing a Notified Body Audit isn’t luck. It’s discipline. It’s daily habits. It’s system-level thinking.

Here are 4 ways the best MedTech companies prepare (and how you can too):

1. They build audit-ready systems
Your documentation must tell a complete story:
• Align QMS to ISO 13485:2016 and MDR Article 10
• Justify risk management with defensible rationales
• Show proactive surveillance in PMS reports
• Close CAPAs fully with evidence of resolution
• Validate claims with clinical performance data

2. They eliminate silent compliance risks
Fix problems that quietly undermine audits:
• Complete missing risk–benefit rationales
• Update and control all key documents
• Close gaps in complaint and vigilance logs
• Strengthen post-market surveillance
• Link CAPAs directly to audit findings

3. They train for audit readiness every day.
Turn audit behavior into muscle memory:
• Run mock audits and rotate team roles
• Train clear, non-speculative auditor responses
• Assign scope ownership across all functions
• Focus answers — no speculation or improvisation

4. They set up audit execution in advance.
Plan logistics that create calm, not chaos:
• Prepare a dedicated audit room with indexed files
• Assign document fetchers and tech support
• Track requests and responses live during audits
• Maintain a calm, professional audit environment

Here’s the truth: An audit isn’t something you survive. It’s a mirror that reflects how you operate every day.
What’s the biggest audit challenge your team is facing right now? ♻️ Find this valuable? Repost for your network. 💡 Follow Bastian Krapinger-Ruether for actionable tips on MedTech compliance and QM.
-
In a landscape defined by extraterritorial enforcement, third-party exposure, and ethical accountability, the 2022 Overview of Anti-Corruption Compliance Standards and Guidelines (International Anti-Corruption Academy) is a landmark reference—both in scope and operational relevance. Authored by Dr. Eduard Ivanov, this comprehensive synthesis brings together over 60 internationally recognized instruments from the UN, OECD, ISO, FATF, World Bank, ICC, TI, and regional authorities such as the AFA, DoJ, and SFO.

1. From Legal Minimums to Governance-Driven Integrity: The document reinforces that modern anti-corruption programmes must be more than legally compliant—they must be governance-anchored. Sections on “tone from the top,” shareholder accountability, and “tone from the middle” move beyond checkbox exercises and place cultural leadership at the core. Notably, guidance from ISO 37001 and the French AFA requires that senior management not only endorse, but visibly operationalize #anticorruption expectations—with documentation and periodic review by governing bodies.

2. Third-Party Due Diligence and Lifecycle Risk Management: One of the most technically rich sections is the deep dive into #thirdpartyrisk—spanning control, influence, beneficial ownership, sanctions exposure, and reputational impact. It outlines how due diligence must be integrated across onboarding, contracting, monitoring, and offboarding.

3. Benchmarking and Programme Evaluation Are Not Optional: Benchmarking is no longer a luxury for global firms—it is essential to demonstrate effectiveness to regulators. This document cites methodologies from Deloitte, EY, NAVEX, PwC, and academic institutions, calling for comparative maturity assessments and defensible performance indicators (e.g., hotline usage, risk mapping refresh cycles, policy training rates, third-party rejection metrics).

4. Regulatory Intelligence Is Now Embedded in Compliance Design: The overview brings together enforcement expectations across jurisdictions—Sapin II, the UK Bribery Act, FCPA, and FATF standards—showcasing how laws with extraterritorial effect (e.g., U.S. and UK regimes) apply even to unregulated entities through third-party exposure.

5. Underserved Areas Now Elevated: Conflicts of Interest, Sponsorship, Gifts, M&A: The document fills longstanding gaps in international guidance on:
• Conflicts of interest: ICC and UNODC now offer structured prevention and management models.
• Charitable donations and political contributions: separated from standard expense controls, with dedicated transparency measures.
• Mergers & Acquisitions: guidance from the Wolfsberg Group and FCPA points to pre-acquisition due diligence, post-deal integration audits, and compliance clause triggers in deals.

#compliance #regulatory #financialcrime #risks
-
Aligning key sustainability regulations 🌎 Sustainability regulations in the EU are evolving rapidly, with the CSRD, CSDDD, and EU Taxonomy shaping corporate reporting and due diligence requirements. While each framework has a distinct purpose, they share significant overlaps that businesses must navigate efficiently. A structured approach to compliance can help companies reduce reporting burdens while ensuring alignment with regulatory expectations. Understanding how these regulations interact provides opportunities to streamline processes and enhance ESG risk management. Key areas of overlap include impact, risk, and opportunity management, double materiality assessment, due diligence requirements, and minimum safeguard alignment with international standards such as the UNGPs and OECD Guidelines. These common elements form the foundation of an integrated sustainability due diligence system. The EU Omnibus package, expected later this month, seeks to harmonize these regulations further. Its success will depend on maintaining the depth of due diligence requirements while providing companies with greater clarity and efficiency in reporting. For companies already implementing an integrated approach, the Omnibus package may not introduce significant changes. However, for those still working in silos, it could offer a clearer framework for compliance and strategic alignment. Identifying and leveraging regulatory synergies is not just a compliance exercise—it is a way to gain deeper ESG insights, improve sustainability performance, and align with global standards. Organizations that integrate these frameworks effectively will be better positioned to manage risks and create long-term value. As sustainability expectations continue to rise, businesses that proactively align their reporting and due diligence processes will be ahead of the curve. The focus should be on efficiency, transparency, and ensuring that compliance efforts translate into measurable impact. 
Source: Ramboll #sustainability #sustainable #business #esg #climatechange
-
Understanding tariff regulations isn’t enough anymore — you need to master the legal workarounds. Temporary Importation Bonds (TIBs) and Foreign Trade Zones (FTZs) are powerful tools that allow companies to avoid paying costly 232 tariffs when importing for re-export or further processing. If you're in global trade, these strategies could protect your bottom line. But there’s no room for shortcuts. Leveraging TIBs or FTZs requires careful planning and compliance. You must post a bond upfront, document everything properly, and follow CBP rules to the letter. A misstep here doesn’t just cost money — it can shut down your entire operation. If you’re serious about protecting your shipments and margins, the time to act is now. Don’t let confusion or hesitation leave your business exposed. Dive deeper into the right strategies here: https://lnkd.in/eZ9bPnPw #TariffStrategy #TradeCompliance #232Tariffs #CustomsStrategy #SupplyChainResilience
-
The Policy-Control Gap - Why Good Intentions Aren’t Enough

Organizations often mistake policies for control. They draft guidelines, issue directives, and assume compliance will follow, without ensuring there is anything in place to enforce them. The result? A false sense of security and increased exposure to risk. Policies alone don’t drive behavior, while effective controls do.

Internal audit and risk leaders can bridge this gap by embedding real, measurable mechanisms that detect and deter noncompliance. This would require moving beyond policy reviews and tick-box exercises to testing whether controls actually function in practice. It would also require assessing the organization’s culture of compliance by determining:
- Are employees aware of the policy?
- Do they understand the consequences of noncompliance?
- Are there clear accountability measures in place?

To me, a policy without enforcement is like a shop that sells only right-handed gloves. Strong governance means ensuring that what’s written on paper translates into action. This also means shifting from passive oversight to proactive assurance, testing effectiveness, challenging assumptions, and ensuring that policies don’t just exist but actually work.

I welcome your thoughts. #InternalAudit #RiskManagement #theiia #Governance #Compliance #internalauditors #ERM
-
💰 Money never sleeps and regulation is always (half) awake. So how can regulation guide banks to generate value for customers? It's a difficult process. If real value is not honestly identified, value cannot be digitalised and understood by clients, and thus paid for transparently. That's why in my third book of five, "MIFID2: Value generation for investors", I researched the spirit of regulation. I attach the introduction and conclusions to this post as a PDF, but you can find the full book with this link: 📕 👉 https://lnkd.in/d4rhapfH

The wealth management industry - from retail to private banking - has faced a perfect storm made of unorthodox monetary policies, generational shifts, changes in investor behaviour, new regulations aimed at unveiling the asymmetry of information, huge costs of compliance, and growing capital charges for proprietary trading and intermediation businesses. This has generated needs and opportunities for transformation, of which regulation wants / can be the engine and the driver towards the next generation of financial advice.

In the book, I discuss ten evergreen areas of this r-evolution:
1️⃣ Wealth mobility, as clients lost trust in many investment relationships
2️⃣ Fintech competition, as value shifts from incumbents to clients and platforms
3️⃣ Transformation of alpha, as passive investing dominates
4️⃣ Goal-based oriented business models to counter the loss of product fees
5️⃣ Tech platforms, powering independent advisors with cross-product
6️⃣ Forward-looking (probabilistic) net performance, enriching historical analysis
7️⃣ Robo-advisors, evolving into hybrid models focusing on alpha-time
8️⃣ On-boarding (client fees) that dominates in-boarding (product fees)
9️⃣ Retail banking, becoming more automated and advice-oriented
🔟 Holistic advice, spanning beyond banking to support clients everywhere and anytime they need.

While digitalisation of advisory models grows in relevance, real success in financial advice comes from managing "human instability" (in the process of investors’ profiling on our irreversible time) in relation to the "instability of financial markets" (fundamental uncertainty). And while regulators are still attempting to rebalance an unbalanced system with a bottom-up approach, strengthening regulation of financial markets (MiFIR) and their participants (MiFID II, PRIIPs, Basel, Solvency) or driving the price for risk (lowering rates) ... here is the KEY TAKEAWAY that makes this book strategic and inspiring for you to read whatever regulatory framework you are in as a wealth manager, asset / investment manager, hedge fund manager or financial advisor:

👉 Only a risk-based approach, based on goal-based investing principles, will help you to manage all aspects of human and market instability to generate value for clients ... that your clients are willing to pay for transparently to you 👈

Thanks in advance for the time you will invest to read my work.
-
The Fair Work Ombudsman has just released its Payroll Remediation Program Guide (PRP).

💡 TL;DR: Own the issue. Fix it fast. Put people first. Document everything. Talk to the FWO early.

🧾 Payroll Remediation Program (PRP) – Key Takeaways (FWO Guide | April 2025)
If your business discovers payroll compliance issues, the FWO encourages a structured, employee-centred approach to remediation. This guide outlines how to run a compliant, transparent, and efficient PRP.

🔑 10 Features of a Model PRP
1. Fair, accurate, and transparent
2. Clear governance and documentation
3. Timely delivery with proper resourcing
4. Employee-first mindset
5. Genuine consultation with staff/unions
6. Simple processes for affected workers
7. Data gaps? Give employees the benefit of the doubt
8. Proactive, responsive communications
9. Real-time learning and improvement
10. Full transparency with FWO

⚙️ Key Steps in Building a PRP
- Discovery: Identify issues, scope, and systems involved
- Methodology: Use robust data analysis, risk reviews, and assumption models
- Governance: Ensure senior oversight, clear documentation, and independent validation
- Payments: Include interest and breakdowns, offer review channels
- Former staff: Make real efforts to track and pay them, or lodge with the Commonwealth if not possible
- Future-proofing: Fix systems, improve culture, add ongoing compliance checks

📣 Comms Matter
- Communicate early, often, and clearly
- Tailor messaging for different employee groups
- Avoid legal jargon or pay secrecy clauses
- Provide breakdowns, clear contact points, and options to dispute

📬 When to Notify FWO
- Not required for small isolated errors (if resolved fast)
- Recommended for broader/systemic issues—even if all facts aren’t known yet

📚 Full resource in the comments